In most organizations, Application Security is sadly behind in adoption, especially when compared to Network Security. And yet, with 84% of attacks aimed at the application layer, we need to turn our focus more towards AppSec. As we use and deploy more and more apps, the interdependencies between them complicate internal infrastructures, leading to more opportunities for misconfigurations and holes that could be used by attackers.
But sound application security practices are a major business enabler which can actually help your organization stand apart from the pack. The way to make this happen is to determine those areas that are especially important in helping your AppSec program not only succeed, but stand out.
As we move towards AppSec maturity, it’s important to look at how to take our AppSec programs from zero to hero. So, to help you make your AppSec routine succeed, we’re laying out five of the top ways to make your AppSec program stand out!
- Offer Continuous, Relevant Security Training to Company Stakeholders
Security training is vital to the longevity and health of a long-term AppSec program. And while training developers in the best secure coding practices is the most important part of this tip, training and security education should extend to all company stakeholders. From management down, each department should have a responsibility to work securely in whatever they’re doing.
The key is to understand how each department uses software and to tailor training towards those needs. While developers require extensive secure coding and testing training, management may need a lesson on spear-phishing or a deeper understanding of compliance issues, while the marketing and sales teams may need a refresher course on spear-phishing and avoiding risky downloads.
When all it takes is a single risky click in an email or on a website in order to potentially infect the entire organization, it’s up to the security team to make sure employees from all areas of the organization have an understanding of at least basic security issues and concepts. Hosting continuous training sessions also keeps security on top-of-mind for employees across the organization, promoting a more secure culture all around.
Read more about what Checkmarx CTO Maty Siman has to say about the Importance of Application Security Awareness Training here.
- Track Open Source and Third-Party Components
Open source and third-party components are a major plus for many organizations, as they save development teams time and resources, while also speeding time to market and enabling higher rates of innovation. So there’s no mystery in the fact that the average application is composed of nearly 90% of open source components – and while it’s great news for developers, we still need to be extra careful when it comes to tracking our open source components and how they’re used.
Open source isn’t less secure than proprietary code, it’s just much more visible, available for anyone to use….or abuse. In a recent study, it was found that 60% of apps had open source security vulnerabilities, while the numbers got worse for financial and ecommerce apps. 83% of apps in the retail and ecommerce industries were found to be vulnerable, while there were an average of 52 vulnerabilities per application in the financial industry.
With the addition of ‘Using Components with Known Vulnerabilities” to the latest OWASP Top 10 list, we should already have a more keen interest in keeping open source security risks out of our applications.
As the shift towards using more open source code continues, another way to keep your AppSec program a step ahead is to closely track and monitor open source components used throughout your application inventory. Keep an inventory of all the open source components – and their dependencies – used by your teams, and enforce a policy of correctly using and logging open source components. In addition, keeping updated on open source vulnerabilities in your adopted components will go a long way in keeping your code free of the next Heartbleed or Shellshock.
- Integrate AppSec Practices in Each Stage of the SDLC
With fast-paced, agile development processes, like DevOps, sweeping the software industry and beyond, it’s been a godsend for security teams that may have been behind in their tech or processes before. There is simply no way to do DevOps without a Secure SDLC in place, giving security a prime opportunity to catch up to the rest of the DevOps teams.
Even if your organization has yet to take the DevOps leap, you can reap the many, many benefits of integrating security throughout your SDLC. Because no matter if you’re developing using a waterfall method, DevOps, or anything in between, integrating application security practices in each stage of the development lifecycle is imperative to becoming and staying proactive in your AppSec program. Your organization can no longer wait for vulnerabilities that were discovered at the end of the cycle to be fixed, and the alternative – releasing software with known risky bugs – is also not an option.
Find the Secure SDLC model that works best for your development processes and the security team (US-CERT has a nice, meaty overview of the most popular models) and get management and development team leaders on board so that everyone knows what you’re working towards. Educate your developers in secure coding practices, and get feedback from them on how they think security processes can be improved. When you’re ready, use a measurement benchmark to see how you compare to similar organizations, and use that as a way to improve your own processes.
Nothing stands out more – and for the best reasons – than having a smooth, secure SDLC where releases are on-time and bug-free.
- Create a Reusable AppSec Checklist for Each Stage of the SDLC
Once you’ve adopted a Secure SDLC, you’re on your way towards a mature AppSec program. But with so many moving parts in software development, keeping track of all the security activities done throughout the SDLC can sometimes be difficult, and can hinder the security team’s ability to stay proactive. One way to keep everyone on the same page and make sure things are running smoothly is to create a checklist that incorporates each security activity, split into the different stages of the SDLC.
Even something simple like a checklist can make security run smoother, and make performing security activities easier on everyone involved. Bonus tip: Go with a digital checklist that can be accessed and understood easily by anyone involved, which means keeping security jargon to a minimum.
- Strengthen Your Developer Relationships for Ultimate Collaboration
Last, but not least, is all about having better relationships with your development counterparts. Those in organizations practicing DevOps or other agile methods will already understand the value – for yourselves and the overall business value – of having strong relationships with developers. For two teams whose work involves and encompasses each other, there’s a shocking lack of mutual understanding between developers and security teams – and that’s a great place to make a mark in your organization.
For one, understanding each other better, and how we each work, can have a profound effect on respecting each other more. It can also help show how you can work better together, and which areas need to be improved. By simply opening up a line of communication with developers can move you towards improved relations – it doesn’t even have to be work-related: some of the best DevSecOps organizations get together for beer, or pizza.
Once you’ve broken the tensions, improvements can actually be made. Identify AppSec Champions amongst developers and invite them to OWASP meetings or to sit in during security planning. With these small gestures, you’ve planted the seeds for more successful, less tension-filled collaborations between your teams. And that is no easy feat!
Continue your reading:
Quick Tips To Secure Your SDLC
Latest posts by Sarah Vonnegut (see all)
- How Secure is Your Online Banking App? - February 26, 2018
- Top 5 OWASP Resources No Developer Should Be Without - January 9, 2018
- Smart Cities: Can My City be Hacked? - December 11, 2017